pwdump3 - a Windows NT/2000 remote password hash grabber

by Phil Staubs, e-business technology

Distribution site:
http://www.ebiz-tech.com/pwdump3


DESCRIPTION:

This program grabs password hashes from remote Windows NT/2000 machines.  It 
prints them to the screen in standard L0phtCrack format, or optionally writes 
them to a file.  


USAGE:

PWDUMP3 machineName [outputFile] [userName]

Install the executable files (pwdump3.exe, lsaext.dll, and pwservice.exe) in a 
single directory.  Running PWDUMP3 with no parameters causes the usage information 
to be displayed.  The first parameter is the remote machine from which the hash
is to be extracted.  It can be a machine name with or without leading backslashes, 
or it can be an IP address.  

The second parameter specifies a filename for the program's output.  This is 
optional.  Output may also be redirected to a file.  In either case, only the 
usernames and hashes go to the output file.  The output file is suitable for use 
as an input to the L0phtCrack program.

The third parameter, also optional, is the username for establishing a connection 
to the remote machine.  If the username is supplied on the command line, PWDUMP3 
will prompt for a password and use these credentials to create a connection on the 
remote machine.  If a connection already exists, the username is not required.  
The connection to the remote machine must be established with administrative-level 
authority.


HOW IT WORKS:

Remote access to a machine is accomplished by running the hash extraction 
program as a service, because Windows NT/2000 allows services to be installed and 
started remotely.  PWDUMP3 first connects to the ADMIN$ share and copies the 
service executable files there.  It then requests the Service Control Manager to 
install and then run the service program.  The extracted hash information is 
temporarily stored in the remote machine's registry.  PWDUMP3 remotely connects 
to the registry to read the stored data.  Cleanup consists of removing the 
registry data, un-installing the service, and deleting the executable files 
from the remote machine.

Once the service is running, it follows the methodology used by Todd Sabin in his 
PWDUMP2 program to access the password hashes.  The idea is to use Windows internal 
function calls to fetch the data.  Since these functions require privileged access, 
it is first necessary to gain the appropriate access privileges.  The Local Security 
Authority Subsystem (LSASS) runs with the necessary access privilege, so PWDUMP3 
uses a technique known as DLL injection to run under the LSASS process, and thereby 
attain privileged access to the hash information.

DLL injection involves running a thread under an external process.  The thread runs 
with all the access privileges of that process.  The thread's executable code must 
first be copied to the address space of the external process.  The PWSERVICE 
program, running on the remote machine with administrative rights, adjusts its 
access privilege to Debug level.  This allows it to open and write to the memory 
space of the LSASS process.  It copies a simple thread function into the LSASS 
address space, and then runs the thread under the external process.  The thread 
loads the LSAEXT DLL and runs a function that performs the privileged hash 
extraction routine.  This routine uses undocumented, internal Windows function 
calls to enumerate the users on the system and obtain the password hashes in 
unencrypted form for each user.

The hash information must be made available to the machine from which PWDUMP3 is 
running.  The easiest way to do this is to place it in the registry, where it can 
be read remotely.  First, however, it is obfuscated with a simple function that 
uses a one-time key passed in by PWDUMP3.  This function, for each 32-bit word of 
data, performs an XOR operation between the key and the data, and then rotates 
the key right by one bit.  This is NOT strong encryption.  It merely prevents the 
hashes from being passed across the network in plain-text form.  PWDUMP3 passes 
the key as a parameter to the PWSERVICE program.  Therefore, if you are concerned 
about the possibility of someone sniffing the network for this information, do 
not use PWDUMP3.
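Added here as an illustration, not code from the pwdump3 distribution: a Python model of the obfuscation step described above (XOR each 32-bit word with the key, then rotate the key right by one bit) that shows why the warning holds. The rotating key repeats after at most 32 words, and a single known plaintext word at any position gives back the key. The data words and key below are constructed sample values.

```python
MASK = 0xFFFFFFFF  # work on 32-bit words, as the README describes


def ror32(x, n=1):
    """Rotate a 32-bit word right by n bits."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK


def rol32(x, n=1):
    """Rotate a 32-bit word left by n bits (inverse of ror32)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def obfuscate(words, key):
    """XOR each word with the running key, then rotate the key right one bit.
    Because XOR is its own inverse, the same call also de-obfuscates."""
    out, k = [], key & MASK
    for w in words:
        out.append((w & MASK) ^ k)
        k = ror32(k)
    return out


deobfuscate = obfuscate


def keystream_period(key):
    """Number of words before the rotating key repeats; always divides 32."""
    k0 = key & MASK
    k, n = ror32(k0), 1
    while k != k0:
        k, n = ror32(k), n + 1
    return n


def recover_key(cipher_words, index, known_plain_word):
    """One known plaintext word at position i reveals key rotated right i times;
    rotating left i times gives back the original one-time key."""
    k_i = cipher_words[index] ^ (known_plain_word & MASK)
    return rol32(k_i, index)


# Constructed sample: four 32-bit words standing in for a 16-byte hash, plus a key.
SAMPLE_WORDS = [0x11111111, 0x22222222, 0x33333333, 0x44444444]
SAMPLE_KEY = 0xDEADBEEF

if __name__ == "__main__":
    c = obfuscate(SAMPLE_WORDS, SAMPLE_KEY)
    print("period:", keystream_period(SAMPLE_KEY))
    print("recovered key:", hex(recover_key(c, 2, SAMPLE_WORDS[2])))
```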


